Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-14833

change client keystore from jks to pkcs12 doesn't work

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Low
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Local/Config
    • Labels:
    • Environment:

      Cassandra version: 2.2.12 Java: 1.8.0_181 SLES11

    • Severity:
      Low

      Description

      Changing from JKS to PKS12 store_type doesn't work for client_encryption_options. for server_encryption_options it is not a problem.

      I use:

      client_encryption_options:
          enabled: true
          optional: false
          keystore: keystore.p12
          keystore_password: keystorepass
          truststore: truststore.p12
          truststore_password: keystorepass
          store_type: PKCS12

      but get this error:

      ERROR 06:34:36 Exception encountered during startup
      java.lang.RuntimeException: Unable to create thrift socket to /192.168.1.2:9160
      {{ at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:270) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
      {{ at org.apache.cassandra.thrift.TServerCustomFactory.buildTServer(TServerCustomFactory.java:46) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
      {{ at org.apache.cassandra.thrift.ThriftServer$ThriftServerThread.<init>(ThriftServer.java:131) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
      {{ at org.apache.cassandra.thrift.ThriftServer.start(ThriftServer.java:58) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
      {{ at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:453) [apache-cassandra-2.2.12.jar:2.2.12]}}
      {{ at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:548) [apache-cassandra-2.2.12.jar:2.2.12]}}
      {{ at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:642) [apache-cassandra-2.2.12.jar:2.2.12]}}
      Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
      {{ at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:210) ~[libthrift-0.9.2.jar:0.9.2]}}
      {{ at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:104) ~[libthrift-0.9.2.jar:0.9.2]}}
      {{ at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:256) ~[apache-cassandra-2.2.12.jar:2.2.12]}}
      {{ ... 6 common frames omitted}}
      Caused by: java.io.IOException: Invalid keystore format
      {{ at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658) ~[na:1.8.0_181]}}
      {{ at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_181]}}
      {{ at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:215) ~[na:1.8.0_181]}}
      {{ at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_181]}}
      {{ at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_181]}}
      {{ at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:195) ~[libthrift-0.9.2.jar:0.9.2]}}
      {{ ... 8 common frames omitted}}

       

      Looks like the store_type option is not set properly for client encryption.

      If I don't use the  store_type: PKCS12 option the error accuses earlier at the startup 

      INFO 06:43:46 Enabling encrypted CQL connections between client and server
      Exception (java.lang.RuntimeException) encountered during startup: Failed to setup secure pipeline
      java.lang.RuntimeException: Failed to setup secure pipeline

      so from my point of view it looks like the option is set, but not everywhere it should.

      I also use PKCS12 stores for server encryption. It works fine there.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              MaierICC Michael Maier
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated: